Wireguard problems (Handshake did not complete)

So I had this problem for hours now, can someone please help.

I get the following error: "Handshake did not complete after 5 seconds, retrying (try 2)" when trying to connect to my VPN server on my iPhone with the WireGuard app. I am using cellular data.

Here is my nixos configuration for the server (taken from WireGuard - NixOS Wiki):

  networking = {
    hostName = "mainserver";
    firewall = {
      allowedTCPPorts = [ 80 443 ];
      allowedUDPPorts = [ 51820 ];   # WireGuard listens on UDP
    };
    nat = {
      enable = true;
      externalInterface = "eth0";
      internalInterfaces = [ "wg0" ];
    };
    wireguard.interfaces = {
      wg0 = {
        ips = [ "10.100.0.1/24" ];
        listenPort = 51820;
        # masquerade tunnel traffic leaving via eth0; remove the rule again on shutdown
        postSetup = ''
          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
        '';
        postShutdown = ''
          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
        '';
        privateKeyFile = config.age.secrets.mainserver-wireguard-private-key.path;
        peers = [
          {
            # the phone
            publicKey = "LCxf7Ca6aEn20rxDn6FiaGw3sdbwnhbi7FdW3dtf7SM=";
            allowedIPs = [ "10.100.0.2/32" ];
          }
        ];
      };
    };
  };

And here is the configuration for the connection from my iPhone in the WireGuard app:

Name: wg0

Private key: ...
Public key: LCxf7Ca6aEn20rxDn6FiaGw3sdbwnhbi7FdW3dtf7SM=

Addresses: 10.100.0.2/24
Listen port: 51820

Peer:
Public Key: AkiIkN8GzP4niStQxivaOD+0eMyUkru8oHLnrMNCTz8=
Endpoint: <public-server-ip>:51820
Allowed IPs: 0.0.0.0/0
Persistent keepalive: 25

I also opened the port 51820 on my server, so that should cause no trouble.

Am I doing anything wrong? Again, the error is "Handshake did not complete after 5 seconds, retrying (try 2)". I already tried to recreate the keys, which some people suggested, but that did not help unfortunately. It might also be good to know that I have DSL internet and a FritzBox router.

Hi,

Check if UDP 51820 is actually reachable from outside, some providers disallow ports.

How about trying from another computer rather than a phone? Debugging from a device with an actual keyboard is going to be far more pleasant.

@peterhoeg @TinHead

I get no errors anymore after setting it up again with new keys. The problem that I have now is that once I connect to the VPN I can access the internet, but the IP just stays the same.

I only tried it with cellular data as I had no chance of trying it from another network. But I mean that should work as well.

Any ideas?

What IP are you referring to?
The WireGuard IP is obviously fixed.

@TinHead I go to the website https://www.whatismyip.com/

With my cellular data. And it shows the IP address. But then when I turn the VPN connection on, instead of the IP changing to my home network address it stays the same.

Do you actually route all traffic through your VPN, or 10.100.0.0/24 only?

@NobbZ on my phone WireGuard client:

Addresses: 10.100.0.2/24

And on my server:

Ips: 10.100.0.1/24
AllowedIPS: 10.100.0.2/32

I didn’t ask about the IPs you use, I was asking if you route all the traffic over WireGuard or only the traffic that is dedicated to the WireGuard IPs?

If you don’t route all the traffic via WireGuard, then your IP won’t change, obviously.

If you route all traffic via WireGuard and haven’t set up your WireGuard “server” for actual routing, your phone would be offline once connected to the VPN.

If you route all the traffic via WireGuard and set up your WireGuard server for proper routing and maybe NAT, then your IP shown by the service would indeed change.

@NobbZ I do not really know to be honest. I can only tell you that I set the endpoint to the public IP of my server and opened the proper port for the server on my router.

Can you tell me where I can check what you talked about? Sorry, this is my first time working with a VPN.

If you have configured it, you would know it probably, if you don’t know you probably haven’t configured anything, so only 10.100.0.0/24 is routed.

Try a random ping program to ping 10.100.0.1 from your phone and 10.100.0.2 from your computer, while WireGuard is active of course.

It will probably succeed. So you’re set up.

If you need more than that, that’s a completely different story and involves more than just setting up the WireGuard service.
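To make the routing question above concrete, here is an added Python check (not from the thread or the NixOS wiki) that parses the phone's config in wg-quick INI form and cross-checks it against the server's peer list: that the key pairing is consistent, that the phone's tunnel address is covered by the server's allowedIPs, and whether AllowedIPs = 0.0.0.0/0 makes it a full tunnel, in which case the server's forwarding and MASQUERADE rule decide whether the public IP changes. It assumes the server's public key is the one the phone lists under Peer; the private key is a placeholder.

```python
import ipaddress

# Constructed from the values posted in the thread; the private key is a placeholder.
CLIENT_CONF = """[Interface]
PrivateKey = <client-private-key>
Address = 10.100.0.2/24
ListenPort = 51820
[Peer]
PublicKey = AkiIkN8GzP4niStQxivaOD+0eMyUkru8oHLnrMNCTz8=
Endpoint = <public-server-ip>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""
CLIENT_PUBLIC_KEY = "LCxf7Ca6aEn20rxDn6FiaGw3sdbwnhbi7FdW3dtf7SM="
# Server side as in the wg0 block above; its public key is assumed to match the phone's Peer entry.
SERVER = {"public_key": "AkiIkN8GzP4niStQxivaOD+0eMyUkru8oHLnrMNCTz8=",
          "peers": [{"publicKey": CLIENT_PUBLIC_KEY, "allowedIPs": ["10.100.0.2/32"]}]}

def parse_wg_conf(text):
    """Parse wg-quick style INI text into {"Interface": {...}, "Peers": [...]}."""
    conf, section = {"Interface": {}, "Peers": []}, None
    lines = [l.split("#", 1)[0].strip() for l in text.splitlines()]
    for line in filter(None, lines):
        if line == "[Peer]":
            conf["Peers"].append({})
            section = conf["Peers"][-1]
        elif line.startswith("["):
            section = conf.setdefault(line.strip("[]"), {})
        else:  # split at the first '=' only: base64 keys end with '='
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return conf

def routes_all_traffic(allowed_ips):
    # True when AllowedIPs covers every IPv4 destination, i.e. a full tunnel
    nets = [ipaddress.ip_network(a.strip(), strict=False) for a in allowed_ips.split(",")]
    return any(n.version == 4 and n.prefixlen == 0 for n in nets)

def check_pairing(client_conf, client_public_key, server):
    client = parse_wg_conf(client_conf)
    peer = client["Peers"][0]
    addr = ipaddress.ip_interface(client["Interface"]["Address"]).ip
    entry = next((p for p in server["peers"] if p["publicKey"] == client_public_key), None)
    allowed = entry["allowedIPs"] if entry else []
    return {
        "peer_key_is_server_key": peer["PublicKey"] == server["public_key"],
        "client_known_to_server": entry is not None,
        "client_address_allowed": any(addr in ipaddress.ip_network(a) for a in allowed),
        # a full tunnel only changes the visible IP if the server forwards and NATs it
        "full_tunnel": routes_all_traffic(peer["AllowedIPs"]),
    }
```

With the posted values every check passes and full_tunnel is true, so the remaining question is whether the server actually forwards and masquerades the phone's traffic.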

@NobbZ when I have WireGuard on and ping the IP address you mentioned on my phone, I only get "Request time out".

But I CAN access the internet with the VPN on.

All I followed was the NixOS wiki and then the first two configs for server and client to have a simple VPN connection to my home server.

Any idea what I am doing wrong now?

So WireGuard is still not correctly set up.

As long as the devices cannot ping each other, the VPN is not fully active.

I have to say though, I have no experience using WireGuard. So far all my experiences have been using ZeroTier and OpenVPN, and I also never wanted to route everything, only the VPN traffic.

As mentioned before, I suggest you use a laptop instead and then share the NixOS configuration for both the server and client. That will make things a lot easier for everyone involved.